Exploring eBPF for Windows: Opportunities and Limitations

Windows users can now experiment with eBPF, but significant limitations mean this powerful Linux tool isn't ready for production on Windows yet.

Christopher Tozzi, Technology analyst

November 4, 2024

4 Min Read
Windows 11 logo on laptop screen
Alamy

If you support Linux environments, you can use the extended Berkeley Packet Filter, or eBPF, to revolutionize tasks like application performance management and security.

But what if you use Windows? Can you take advantage of eBPF for Windows, too?

The answer — for now, at least — is "sort of." Windows support for eBPF is available, but with some significant limitations.

What Is eBPF?

The extended Berkeley Packet Filter, or eBPF, is a technology that makes it possible to run custom code in "kernel space." This means that the code runs as part of the operating system, where it is hyper-efficient. The programs executed by eBPF also undergo a validation process and run in sandboxed environments, helping to mitigate security and stability risks.

Using eBPF, system administrators can do things like monitor network traffic or observe application performance metrics through the kernel, without the overhead of running traditional monitoring software. Likewise, security teams can use eBPF to monitor for malicious activity.

What makes eBPF especially great is that it doesn't require kernel code to be recompiled. Nor does it make use of kernel modules, which can pose security and stability risks if they are buggy. With eBPF, you simply load custom code into the kernel, execute it, and monitor the output.

Related:ITPro Today’s 2024 IT Priorities Report

Does eBPF Work on Windows?

Originally, eBPF worked only on Linux. But in 2021, Microsoft announced an initiative to bring eBPF to Windows.

The goal behind the eBPF for Windows project is to make it possible to use the eBPF tools and libraries that currently exist for Linux within Windows environments. The project does this using a Windows eBPF interpreter, which can execute eBPF code inside the Windows kernel. It also provides wrappers for Windows kernel APIs, which eBPF programs can use to collect the same types of data from Windows that they would collect on Linux.

With these components in place, it's theoretically possible to take source code for eBPF programs designed for Linux, compile it, then load it and run it on Windows.

This means that eBPF for Windows is not a fork of eBPF for Linux. Nor is it a framework that provides the same functionality but in an entirely different way. It's an attempt to allow eBPF tooling to work consistently on both Linux and Windows — similar to how the Windows Subsystem for Linux makes it possible to set up authentic Linux environments on Windows systems.

How to Install eBPF for Windows

To install eBPF on a Windows PC or server, you need an operating system with a kernel debugger attached or one that runs in test-signing mode. The easiest way to meet this criteria is to set up a virtual machine using Microsoft Hyper-V and running the following command within the VM to enable test-signing mode:

Related:ITPro Today's Linux Commands Cheat Sheet

bcdedit.exe -set TESTSIGNING ON

Reboot the VM after running the command for the change to take effect. For detailed instructions, refer to the eBPF for Windows documentation.

After this, you can download an MSI installer file for eBPF from GitHub. Execute it and follow the instructions to complete the eBPF installation process.

Once eBPF is installed, you can begin running eBPF programs in the Windows shell.

Limitations of eBPF for Windows

At present, eBPF works on Windows, but it's subject to a variety of challenges:

  • Because eBPF for Windows requires operating systems to have kernel debuggers attached or to run in test-signing mode, it's not practical for use on production systems, which typically would not meet either of these criteria.

  • The "hooks" that eBPF programs use to collect data are not always the same on both Windows and Linux. As a result, not all eBPF programs for Linux will work on Windows.

  • The completeness of eBPF libraries and APIs for Windows currently varies, which also means that some programs may not work.

In short, Windows eBPF remains very much a work in progress. It's viable for experimentation but not for real-world use.

When Will eBPF for Windows Be Released?

Windows eBPF is available for experimentation purposes today. But it remains unclear when (or even if) a production-ready version of eBPF for Windows will appear.

Microsoft has made no announcements about a timeline for eBPF development. The company has also been pretty quiet about eBPF for Windows since it announced the project three years ago.

Development activity on GitHub for Windows eBPF has been relatively steady, as the following graph of commits shows; however, the pace of change seems to have slowed over the past year.

development activity for Windows eBPF

So, if you're eager to put eBPF into production on a Windows system, the best advice we can offer at present is not to hold your breath because it may be years before Windows eBPF reaches that point. But you can at least experiment with eBPF on Windows systems in the meantime.

Read more about:

Technical Explainer

About the Author

Christopher Tozzi

Technology analyst, Fixate.IO

Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like